Hi guys, this question is probably stupid, but since there has been found a flaw in the kernel, I've been thinking of a lot of things related to open source software.
And these posts must be isolated and hardware related, but I wanted to mention them:

Now, my question: how many users really have a look at the open code? I mean, how many users would be able to check if there's some hidden or subtle security breach?
Would it be possible to drop into many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it then be feasible to wake up those security flaws and create a HUGE mess?

I know I'm paranoid, and it sounds really freaky. But what if that kernel mistake were intentionally done? This one and others, ready to operate, at some time or another?

Is there a hard security organism that checks every single line of code? Or is this totally impossible?
How many users have never ever looked at code? How many would be able to find a security flaw?...

Hi guys, this question is probably stupid, but since there has been found a flaw in the kernel, I've been thinking of a lot of things related to open source software.

I would not say "stupid", but it is certainly based on smoke. Vulnerabilities are discovered every day in the kernel and in many other pieces of software; just use glsa-check. This latest one is not different in any regard. I don't know why people are so worried about it. The difference is that here they are discovered and fixed, while on some other OSes they are not, and that's why you don't see it (or maybe it is just because these other OSes are perfect, who knows?).

pathfinder wrote:

Now, my question: how many users really have a look at the open code? I mean, how many users would be able to check if there's some hidden or subtle security breach?

Probably every big enterprise using Linux on their servers. There are lots of enterprises that make security audits of the kernels and servers that they use. And there are quite a lot; don't forget Apache, PHP, MySQL, sendmail and many others. Private individuals also do, to some extent. In addition, there are literally hundreds of kernel hackers acting on their own, revising the code and making custom patchsets: all of these read, change and understand the Linux kernel code. By the way: the Linux kernel devs are not gods nor separate entities. You can become one if you wish, with enough dedication, and the whole process is open, and the kernel lists have an amazing amount of traffic. If you subscribe to them you will see what I mean, and you will see how ridiculous your theory is. I used to get around 300-500 mails a day on that list, and sometimes even more. So: no, you can never be 100% sure. But with a closed source OS you are actually 0% sure, because you can't look at the code at all.

So, I can't get your point at all. Even if the security is not 100%, it is far, far more than you can get with any closed source product. So, what are you asking about?

Quote:

Would it be possible to drop into many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it then be feasible to wake up those security flaws and create a HUGE mess?

Theoretically and technically, it is also possible that someone called Darth Vader comes one day in a spaceship with a light saber to visit us. Possibly... but I'd say it's highly improbable... well, maybe not for the light saber part. It's much more probable that such a threat is hidden in a closed source system that is much, much more widespread worldwide; can you see the logic?

Quote:

I know I'm paranoid, and it sounds really freaky. But what if that kernel mistake were intentionally done? This one and others, ready to operate, at some time or another?

This is the well-known argument in the philosophy of the last centuries. What if we are just the product of someone else's imagination? (Read "Sophie's World" by Jostein Gaarder, or whatever it's called in English, just as an example.) Well, if that's the case, there's no place for safety in this whole world, and as such, you shouldn't worry either, because we are already damned.

Quote:

Is there a hard security organism that checks every single line of code? Or is this totally impossible?
How many users have never ever looked at code? How many would be able to find a security flaw?...

By this same logic, there would be a need for another organism to control the controlling organism. That logic is flawed. It is precisely the fact that the security audits are not centralized that guarantees that no one (unless s/he has god-like powers) can control them to his/her will.

I would just go on holiday and use Windows for a while; then you will come back a lot more relaxed.

EDIT: Take the whole post with a grain of salt. I wrote it in a semi-humorous fashion.

Would it be possible to drop into many progs some security flaws, then, sleeping killers, and when open source becomes the reference in terms of OS distribution in the world, would it then be feasible to wake up those security flaws and create a HUGE mess?

I don't see why this is open source related. The same can be said of closed-source software, and it'll be much harder to find out.

As already mentioned, it is possible that ANY program can have data miners, callbacks, and other threats to security coded into it. However, it will be much more noticeable in open source software than in closed-source.

ok guys ok
wowowowowowow it's ok, it was stupid. No need to crucify me, I just asked... You answered. It's ok. I'm really happy with your answers, but ok, sorry if I annoyed anyone. I'll ask Darth Vader to come and kill me before anyone else
you know, I felt stupid asking; I thanked the Chat thing for the posting... otherwise I would never have asked such a thing. But now, you know, I feel EVEN MORE stupid than before. Fresh air. Wow. I'll go out for a while in my spaceship and try to find a place where no one remembers me

I wasn't trying to make you feel stupid at all. I'm sorry if it came off that way; it wasn't a stupid question.

I don't see why this is open source related. The same can be said of closed-source software, and it'll be much harder to find out.

I completely agree. From the consumer perspective, the only thing that is better with closed source software when some big screw-up happens is that you've got a support hotline number where you can call and scream your head off for $0.99/minute.

So the bottom line here is IMO: Yes, we should worry. But so should everybody else...

Last edited by Voltago on Sun Feb 24, 2008 11:43 pm; edited 1 time in total

Sounds like all the issues referenced in the top post are hardware issues and one possible security breach of some kind (yet to be determined).

It seems clear to me that even the most "secure" and trustworthy OS can be insecure or broken in the wrong hands (unless you're just unlucky and discover a bug or security hole). *NIX is inherently more secure than Windows, even if only because the vast majority of viruses and rootkits are written for Windows! That's where most of the "hackers" market is.